Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / pdfium / 783a7e048c677d26aaf3884304627bbe27cff546^! / . / xfa / fxfa / app / xfa_fftext.cpp
commit783a7e048c677d26aaf3884304627bbe27cff546[log] [tgz]
authortsepez <tsepez@chromium.org>Tue Jan 17 11:05:57 2017 -0800
committerCommit bot <commit-bot@chromium.org>Tue Jan 17 11:05:57 2017 -0800
treeb03feaa32114472f54855c1b702e5bfda28d2be1
parentb9fbe6e9af590a91ab030d2523a147e972816b32 [diff] [blame]
Avoid endless loop deleting CFGAS_GEFont.

It's a ref-counted class, so if we're in the destructor, the ref
count has hit zero. We can't make a new ref pointer to itself here,
as it will re-invoke the destructor when it goes out of scope. This
should have been an obvious anti-pattern in hindsight.

The object in question can't be in the m_pFontManager, since the font
manager retains a reference, and we wouldn't get to this destructor
while that is present. So the cleanup isn't required.

Fixing this revealed a free-delete mismatch in cxfa_textlayout.cpp.
I also converted to use unique_ptrs in a few places near this issue.

Fixing this revealed a UAF in CFGAS_GEFont, memcpy'ing a RetainPtr
is not a good idea as it doesn't bump the ref count.

Also protect and friend the CFGAS_GEFont destructor, to make sure
random deletes don't happen.

Also kill off a const cast, and remove unnecessary conversion to
retain_ptr when we already have one.

TEST=look for absence of -11 in XFA corpus test logs, bots not
     currently noticing the segv.  Argh.

Review-Url: https://codereview.chromium.org/2631703003

diff --git a/xfa/fxfa/app/xfa_fftext.cpp b/xfa/fxfa/app/xfa_fftext.cpp
index 2307ea0..3d2c9a6 100644
--- a/xfa/fxfa/app/xfa_fftext.cpp
+++ b/xfa/fxfa/app/xfa_fftext.cpp

@@ -153,22 +153,17 @@
 }
 const FX_WCHAR* CXFA_FFText::GetLinkURLAtPoint(FX_FLOAT fx, FX_FLOAT fy) {
   CXFA_TextLayout* pTextLayout = m_pDataAcc->GetTextLayout();
-  if (!pTextLayout) {
+  if (!pTextLayout)
     return nullptr;
-  }
-  FX_FLOAT x(fx), y(fy);
+
+  FX_FLOAT x(fx);
+  FX_FLOAT y(fy);
   FWLToClient(x, y);
-  const CFX_ArrayTemplate<CXFA_PieceLine*>* pPieceLines =
-      pTextLayout->GetPieceLines();
-  int32_t iCount = pPieceLines->GetSize();
-  for (int32_t i = 0; i < iCount; i++) {
-    CXFA_PieceLine* pPieceLine = pPieceLines->GetAt(i);
-    int32_t iPieces = pPieceLine->m_textPieces.GetSize();
-    for (int32_t j = 0; j < iPieces; j++) {
-      XFA_TextPiece* pPiece = pPieceLine->m_textPieces.GetAt(j);
-      if (pPiece->pLinkData && pPiece->rtPiece.Contains(x, y)) {
+
+  for (const auto& pPieceLine : *pTextLayout->GetPieceLines()) {
+    for (const auto& pPiece : pPieceLine->m_textPieces) {
+      if (pPiece->pLinkData && pPiece->rtPiece.Contains(x, y))
         return pPiece->pLinkData->GetLinkURL();
-      }
     }
   }
   return nullptr;